DDosMon A Global DDoS Monitoring Project by Yiming Gong. A presentation given at APNIC 42's FIRST TC Security Session (2) session on Wednesday, 5 October 2016.

1. DDoSMon
A Global DDoS Monitoring Project
APNIC 42
Yiming Gong
Network Security Research Lab, Qihoo 360
netlab.360.com

2. About
• About 360.com
• The biggest internet security company in China
• More than 500 million monthly active Internet users, according to iResearch.
• About me
• Director of the network security research lab
• Passivedns https://passivedns.cn
• Ddosmon https://ddosmon.net
• Scanmon http://scan.netlab.360.com/
• Opendata http://open.netlab.360.com DGA, EK, etc
• And few other projects

3. Motivation
• DDoS is one of the biggest internet security threat globally
• Akamai: 129% increase in DDOS attacks in the second quarter of 2016
(https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/akamai-q2-2016-
internet-security-executive-review.pdf)
• Versign: DDOS attacks are becoming more sophisticated and persistent in the
second quarter of 2016
(https://www.verisign.com/assets/report-ddos-trends-Q22016.pdf)
• There is a lack of true visibility regarding to DDoS incident
• Most of the time, only the victims and the big pipe providers know what
happen
• Sometimes they don’t even have the needed visibility

4. Realtime Global DDoS attacks monitoring
https://ddosmon.net
• On average it sees more than 20,000 DDoS attacks every day(one of the
biggest?)

5. How does DDoSMon Work
• Mainly based on three major components
o Realtime NetFlow traffic (layer4)
o Realtime DNS traffic(DNS amp, DNS reflection..etc)
o Realtime DDoS botnet command tracking system

6. 1: Realtime NetFlow Traffic
• Collect huge volume NetFlow from various networks
o Large network backbone routers
o User contribute flows
oHandle more than 30 billions NetFlow records every day
oData is processed in near real-time

7. NetFlow Based Attacks Detecting
Spike detecting
The first important step for the heuristic DDoS
attacks recognition
• Cumulative moving average
algorithm
Characteristics recognition
Different DDoS attack vectors usually presents a
certain characteristic on NetFlow traffic.
• Amplification flood
1. More than 90% traffic is UDP
2. Most of the packets from some fixed
suspicious source port e.g. 19, 53, 123, 1900, 0
3. Most of the packet has large bytes
• SYN flood
1. More than 90% traffic is TCP
2. All TCP Flags only has SYN Flag set packets
3. Source IP address distribution normally not
enough random

8. 2: Realtime DNS Traffic
• Process 240 billions DNS requests every day which covers about
10% total DNS traffic in China
• We also operate a Passive DNS platform http://passivedns.cn

9. Realtime DNS Traffic
• What can we get from DNS traffic?
o The ability to monitor Domains instead of just IPs.
o DNS reflection/amplification attacks
o Random subdomain attacks

10. Realtime DNS Traffic – DNS
reflection/amplification attacks
• $ dig cpsc.gov any +tcp

11. Realtime DNS Traffic – DNS
reflection/amplification attacks
• www.bankofamerica.com was attacked on Sep.14
• Attacker uses BOA address as query source to ask open dns resolvers for
cpsc.gov
• The dns responses from the open resolvers flooded BOA address

12. Realtime DNS Traffic – DNS
reflection/amplification attacks
• Live data

13. Realtime DNS Traffic – DNS Random
subdomain attacks
• Random subdomain attacks
• Attack is to attack DNS authoritative provider
• Mostly dns open resolvers as query sources
• High volume of queries for nonexistant subdomains
• Nonexistant subdomains so no local cache
• So the query will always reach the dns authoritative server

14. Realtime DNS Traffic – DNS Random
subdomain attacks
• Random subdomain attacks

15. Realtime DNS Traffic – DNS Random
subdomain attacks
• Random subdomain attacks

16. 3: Realtime DDoS Botnet Command Tracking
System
• A live ddos botnet c2 tracking system
• For some big ddos botnet families, track the analysis their C2 communication
protocols
• ~190k C2 servers (IP + Port)
• Logged ~400M DDoS related instructions
o Elknot (AKA. Linux/BillGates), A notorious DDoS botnet which runs on both Linux and
Windows. Most be used launch SYN Flooding attacks.
o LDX (AKA. Xor.DDoS), A rojan malware attackers are using to hijack Linux machines to include
within a botnet for DDoS. Commonly be used launch SYN Flooding and DNS Flooding attacks.

17. DDoS Botnet Tracking System
• Example
• 23.73.108.99
• www.microsoft.com

18. DDoS Botnet Tracking System
• Example
• 23.73.108.99 www.microsoft.com
• time botname cc_server cc_ip cc_port type atk_type target_host target_port notes
• 2016-09-23 01:57:43 ldx aaa.gggatat456.com 164.132.170.78 6003 ddos syn_flood 23.73.108.99 80
syn_flood, target=23.73.108.99, port=80, atk_time=30s, payload_size=888, tasks=11, use_fake_source_ip
• C2 family: LDX
• C2 server: aaa.gggatat456.com (164.132.170.78)
• C2 Port: 6003
• Attack: syn flood
• Target ip and port 23.73.108.99 port 80

19. DDoS Attack Detecting Procedure
1
5
4
3
2

20. A few cases
• Case 1 : Target *.root-servers.net
• Case 2: Target *.gov

21. Case1: Attacks Target *.root-servers.net
• We detected 45 attacks against root-servers.net so far this year
• a, b, c, d, e, f, g, h, i, l, m.root-servers.net been attacked
• UDP reflection amplification and SYN flood are the major attack vectors

22. Case 1: e, g.root-servers.net be SYN Flood
• From Jun.25 22:00 to Jun.26 01:00 e.root-servers.net and g.root-
servers.net were SYN flooded
• An obvious spike can be observed for e.root-
servers.net(192.203.230.10) and g.root-servers.net(192.112.36.4),
and the spikes have highly similar pattern
The traffic figure of 192.203.230.10 from 2016-06-22 00:32:30 to 2016-06-28 23:59:50

23. Case 1: e, g.root-servers.net
• NetFlow records
o TCP packet percentage is extreme highly
compare to normal DNS traffic
o Almost all the TCP packets carry SYN flag
o The Source IP seems spoofed
183.131.2.66
183.131.2.67
183.131.2.70
183.131.2.71
183.131.2.72

24. Case 1: e, g.root-servers.net SYN Flood
• Botnet command and controller(C2) and attacking instructions have
been logged (botnet family : elknot)
• 18 related C2 servers logged in this attack

25. Case 2: .gov ddos
• We detected 94 attacks target .gov sites last month.
(Aug. 10 – Sep.10 )
• whitehouse.gov , fbi.gov, nasa.gov, e.g.
• Reflection/Amplification are the most popular
attack vectors, 65%+,
o DNS > NTP> Chargen > SSDP is most be used UDP
protocol to launch amplification attacks

26. Case 2: Attack Target nsa.gov
• We detected nsa.gov(23.196.119.211) briefly been UDP
reflection/amplification attacked at 11:30:00(UTC) on Aug.19
• An obvious spike
The traffic figure of 23.196.119.211 from 2016-08-15 13:15:55 to 2016-08-22 10:52:52

27. Case 2: Attack Target nsa.gov
• UDP reflection amplification
• Mixed mulitiple attack vectors
o UDP port 1900 SSDP-based DDoS
o UDP port 123 NTP-based DDoS
o UDP port 53 DNS reflection DDoS
oPacket size is unusually large, Most of
the packet sizes are 1500 bytes
reaching MTU threshold

28. DDoSMon System Demo
• Demonstration

29. How can I contribute
• More netflow data means more coverage
• Have netflow data to contribute?

30. Thanks
http://netlab.360.com